CCNP ROUTE Study – EIGRP Route Filtering

There are many reasons why you would want to implement route filtering. A good example would be to prevent routes to transit networks being advertised to a branch router, because no host in the branch would ever need to send packets to a host in the transit network.

Filtering in EIGRP is configured using the distribute-list router subcommand, which can reference either a prefix list, an ACL or a route map to determine whether or not routes should be filtered, and in which direction and (optionally) on which interface.

Here’s our network for this lab:

The three networks attached to router WEST (represented by loopback interfaces) are the ones we will filter routes to, so that they do not appear in router EAST’s routing table. We’ll filter each route in turn using the distribute-list command plus a prefix list, an ACL and a route map.

Without any filtering, each route appears in the routing table of router EAST:

Example 1 – filter route to 10.0.1.0/24 using a prefix list:

IP prefix lists examine both the route prefix (subnet number) and the prefix length (subnet mask) for a match. IP prefix lists consist of a command with a sequence number and a permit/deny action. Route prefixes are matched by the command’s prefix/prefix length parameters and prefix lengths are matched by the optional ge (greater than or equal) and le (less than or equal) parameters. If neither ge or le is specified then the prefix length is matched exactly.

In our example we will use a prefix list to exactly match the route to 10.0.1.0/24 and deny it, and then to permit all other routes. First we create the IP prefix list:

Command sequence number 10 exactly matches the prefix/prefix length with a deny statement. Sequence 20 uses 0.0.0.0/0 to match all other prefixes and le 32 to match prefix lengths 0-32, which effectively means “match all other routes” and permit them.

We then configure EIGRP with a distribute-list command that references the prefix list and is applied outbound:

Example 2 – filter route to 10.0.2.0/24 using an ACL:

ACL’s use statements referencing an IP address and a wild card mask, followed by a permit/deny action. Remember that as with prefix lists you must also have a statement permitting the other networks that you don’t want to filter. So lets configure our ACL to deny 10.0.2.0/24:

access-list 1 deny 10.0.2.0 0.0.0.255
access-list 1 permit any

It’s worth noting at this point that you cannot have multiple distribute-list commands in your router configuration, and if we try to add our new one without removing the previous command, we get the following:

Example 3 – filter route to 10.0.3.0/24 using a Route Map:

Route Maps have many uses and consist of a set of commands that are processed sequentially. For the purposes of filtering routes in EIGRP we can use a route map that references either an ACL or a prefix list when looking for matches on routes to filter. In this example we’ll create a route map that matches the 10.0.3.0/24 route based on a simple ACL.

First we create the ACL with a single permit statement to match our route:

access-list 2 permit 10.0.3.0 0.0.0.255

Then we create our route map (named Filter-10.0.3.0/24, so we know what it does) with a deny statement that will match IP addresses based on access list 2. Note we also have a permit statement that when used without any match statements, means “match all” effectively permitting all other routes:

About Rich Bibby

Rich Bibby is a UK based Network Engineer, working mainly with Cisco, Juniper and Arista gear in the enterprise LAN, WAN and Data Centre space. Aside from route/switch/firewalling, he is interested in open source network monitoring and management tools, and exploring the possibilities that automation and programmability bring to networking.
Follow Rich on Twitter